What do you do with your first five minutes on a new server?

What are the things you do every time you log into a new Droplet for the first time? I'm always curious about how other people approach this. If you were to write your own Initial Server Setup guide, what would it include?

What do you do you lock down and secure your server?

What are the tools and utilities that you can't live without that aren't included in the default install?

install tmux
in iptables restrict ssh port to my office
update all packages & reboot
add new user with sudo and a public key
alter sshd_config to disable root login, and to require public key for all users

Install common dependencies required most of the time (git, build-essential)

Configure the mail server (postfix)

Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)

Harden SSH login

Setup fail2ban

Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)

Configure time-related stuff (tzdata, ntp, setting the time zone)

Setup terminal auto-logout after a few minutes of inactivity

Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independant configuration files.

Byobu is an easy-to-use wrapper around the tmux (or screen) terminal multiplexer. This means that it makes it easy for you to open multiple windows and run multiple commands within a single terminal connection. This tutorial will cover how to install and configure Byobu as well as how to use its most common features.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It's a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I've been learning Ansible and it's pretty easy to pick up. I have roles that do each of the following:

Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I'm sure there are roles on Ansible Galaxy for most or all of the things I'm doing, but I learned it a lot better by writing my own and studying others'.

You can have:
a) master/minion config — which is what you said — minion needs remote master to work
b) masterless config — you can put states and pillar right inside your server and use it directly without master
c) you can use salt-ssh which works just like an Ansible. It logs into host, copies itself into it and executes defined states.

Since you said here "I execute setup.sh", it could be easier and better for you to use salt-ssh ;)